Google Cloud Asset Inventory Organization Feed
This page shows how to write Terraform for Cloud Asset Inventory Organization Feed and write them securely.
google_cloud_asset_organization_feed (Terraform)
The Organization Feed in Cloud Asset Inventory can be configured in Terraform with the resource name google_cloud_asset_organization_feed
. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_cloud_asset_organization_feed" "feed_iam_policy_org" {
for_each = var.feed_iam_policy_orgs
billing_project = var.project_id
org_id = each.key
feed_id = "ram-iam-policy"
content_type = "IAM_POLICY"
resource "google_cloud_asset_organization_feed" "this" {
asset_names = var.asset_names
asset_types = var.asset_types
billing_project = var.billing_project
content_type = var.content_type
feed_id = var.feed_id
Parameters
-
asset_names
optional - list of string
A list of the full names of the assets to receive updates. You must specify either or both of assetNames and assetTypes. Only asset updates matching specified assetNames and assetTypes are exported to the feed. For example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See https://cloud.google.com/apis/design/resourceNames#fullResourceName for more info.
-
asset_types
optional - list of string
A list of types of the assets to receive updates. You must specify either or both of assetNames and assetTypes. Only asset updates matching specified assetNames and assetTypes are exported to the feed. For example: "compute.googleapis.com/Disk" See https://cloud.google.com/asset-inventory/docs/supported-asset-types for a list of all supported asset types.
-
billing_project
required - string
The project whose identity will be used when sending messages to the destination pubsub topic. It also specifies the project for API enablement check, quota, and billing.
-
content_type
optional - string
Asset content type. If not specified, no content but the asset name and type will be returned. Possible values: ["CONTENT_TYPE_UNSPECIFIED", "RESOURCE", "IAM_POLICY", "ORG_POLICY", "ACCESS_POLICY"]
-
feed_id
required - string
This is the client-assigned asset feed identifier and it needs to be unique under a specific parent.
The format will be organizations/[organization_number]/feeds/[client-assigned_feed_identifier].
-
org_id
required - string
The organization this feed should be created in.
-
condition
list block-
description
optional - string
Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
expression
required - string
Textual representation of an expression in Common Expression Language syntax.
-
location
optional - string
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
-
title
optional - string
Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
-
-
feed_output_config
list block-
pubsub_destination
list block-
topic
required - string
Destination on Cloud Pubsub topic.
-
-
-
timeouts
single block
Explanation in Terraform Registry
Describes a Cloud Asset Inventory feed used to to listen to asset updates. To get more information about OrganizationFeed, see:
- API documentation
- How-to Guides
- Official Documentation resource "google_cloud_asset_organization_feed" "organization_feed" { billing_project = "my-project-name" org_id = "123456789" feed_id = "network-updates" content_type = "RESOURCE" asset_types = [
"compute.googleapis.com/Subnetwork", "compute.googleapis.com/Network", ] feed_output_config { pubsub_destination { topic = google_pubsub_topic.feed_output.id } } condition { expression = <<-EOT !temporal_asset.deleted && temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST EOT title = "created" description = "Send notifications on creation events" }
depends_on = [ Wait for the permission to be ready on the destination topic.
google_pubsub_topic_iam_member.cloud_asset_writer, ] } resource "google_pubsub_topic" "feed_output" { project = "my-project-name" name = "network-updates" } data "google_project" "project" { project_id = "my-project-name" } resource "google_pubsub_topic_iam_member" "cloud_asset_writer" { project = "my-project-name" topic = google_pubsub_topic.feed_output.id role = "roles/pubsub.publisher" member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloudasset.iam.gserviceaccount.com" }
Frequently asked questions
What is Google Cloud Asset Inventory Organization Feed?
Google Cloud Asset Inventory Organization Feed is a resource for Cloud Asset Inventory of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Cloud Asset Inventory Organization Feed?
For Terraform, the BrunoReboul/terraform-google-realtime-asset-monitor and niveklabs/google source code examples are useful. See the Terraform Example section for further details.